This simple Splunk query will show us unique Splunk user logged into Splunk per day, as well as total count of log-ons.
|
1 |
index=_audit info=succeeded | timechart span=1d dc(user) as unique_users count(user) as logons_all_users |
List All Hosts Associated with All Indexes
Using the Splunk Tstats command you can quickly list all hosts associated with all indexes:
|
1 |
|tstats values(host) where index=* by index |
Hosts Taking a Long Time to Scan – Qualys
The following Splunk query will show the hosts taking an abnormally lengthy time to scan (helps find that needle in a haystack) within the Qualys Sourcetype:
|
1 |
sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event SCAN_DURATION> 1800 | sort -SCAN_DURATION | table IP, DNS, OS, SCAN_DURATION |
I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
How to Check When Splunk is finished Indexing a log file
How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to learnsplunk.com author who originally posted it on his website) By watching data from splunk’s metrics log in real-time. ************************************************************
|
1 |
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="your_sourcetype_here" | eval MB=kb/1024 | chart sum(MB) |
************************************************************ or to watch everything happening split by sourcetype…. ************************************************************
|
1 |
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series |
************************************************************ And if you’re having trouble […]
Total Number of Hosts reporting in.
This query will list the total number of hosts reporting to the indexer for any specified time range. This only works for universal forwarders. If you have hosts reporting in over syslog (typically port 514) they will not be listed.
|
1 |
index=_internal sourcetype=splunkd | stats dc(hostname) as "Number of Hosts" |
Detailed list of Universal Forwarders Reporting to Indexer
The following query will list in detail information on the universal forwarders checking into the indexer. I’ve renamed some of the fields to be more user-friendly.
|
1 |
index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort 0 - count |
